WannaCry might be the tip of the iceberg

June 2, 2017

Rick Holland, Vice President, Strategy, Digital Shadows

The attack on 200,000 plus computers across more than 120 countriesaround the world by the WannaCry ransomwarecertainly got the attention of governments, media, consumers and law enforcement. But the actual impact could have been so much worse.

Much ink is still being expended trying to determine who was responsible and what their motives were and many believe this might have been the act of inexperienced hackers who lost control of their creation. Certainly, at the time of writing, none of the ransom has been collected from the bitcoin accounts victims were encouraged to send their money too.

But while WannaCry could have been so much worse in impact, what is clear is that the base exploit code it uses was part of a batch stolen by Shadow Brokers in April 2017 from the US National Security Agency’s (NSA) Equation Group and potentially last month’s attack could be just the tip of the iceberg.

Earlier in May 2017 CERT EU (The EU’s Computer Emergency Response Team) reported on a worm identified in the wild which has reportedly spread using exploit code leaked by Shadow Brokers in a similar fashion to WannaCry. CERT EU referred to this malware as “BlueDoom”, but its internal name was reportedly “EternalRocks”.

In addition to the EternalBlue Server Message Block (SMB) exploit used by WannaCry, EnternalRocks has reportedly also employed at least three additional exploits leaked by the Shadow Brokers: EternalChampion, EternalRomance and EternalSynergy as part of its propagation process.

All three of these exploits were developed to target SMB remote code execution vulnerabilities in Windows XP, all of which were patched in Microsoft’s Apr 2017 MS17-010 release. However, unlike WannaCry, following a successful exploitation and subsequent deployment of the DOUBLEPULSAR backdoor on an infected machine the malware has reportedly not deployed any additional payload.

Why no payload is being deployed is unclear but we can speculate that EternalRocks was likely intended to be used to establish a presence on a large number of machines in order to facilitate the deployment of second-stage payloads sometime later. What that payload might be and what its function is are not clear and it remains to be seen how the actors responsible for developing this worm will exploit their access to infected machines.

What is clear is that this development highlights that the Eternal suite of Equation Group exploits and other technical assets leaked by the Shadow Brokers will almost certainly continue to pose a threatbeyond WannaCry. Users and organizations which have not already implemented the relevant Microsoft patches and mitigations on the back of EternalBlue are advised to do so quickly.

The writer Rick Holland is the Vice President of Strategy at Digital Shadows

editor@biznews.co.ke

Related

About the Author

Trust is my currency, biscuits are my best snacks. A business story by me that has sparked change, informed and made a positive difference is what makes me going. I yearn to achieve more through writing
Reach me via editor@biznews.co.ke

Twitter Updates

Be the first to know

Enter your email address to subscribe to this blog and receive notifications of new posts by email.